Accepting request 873760 from home:scabrero:krb5_1_19_test

- Update to 1.19.1
  * Fix a linking issue with Samba.
  * Better support multiple pkinit_identities values by checking whether
    certificates can be loaded for each value.

- Update to 1.19
  Administrator experience
    * When a client keytab is present, the GSSAPI krb5 mech will refresh
      credentials even if the current credentials were acquired manually.
    * It is now harder to accidentally delete the K/M entry from a KDB.
  Developer experience
    * gss_acquire_cred_from() now supports the "password" and "verify"
      options, allowing credentials to be acquired via password and
      verified using a keytab key.
    * When an application accepts a GSS security context, the new
      GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
      both provided matching channel bindings.
    * Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
      to identify the desired client principal by certificate.
    * PKINIT certauth modules can now cause the hw-authent flag to be set
      in issued tickets.
    * The krb5_init_creds_step() API will now issue the same password
      expiration warnings as krb5_get_init_creds_password().
  Protocol evolution
    * Added client and KDC support for Microsoft's Resource-Based Constrained
      Delegation, which allows cross-realm S4U2Proxy requests. A third-party
      database module is required for KDC support.
    * kadmin/admin is now the preferred server principal name for kadmin
      connections, and the host-based form is no longer created by default.
      The client will still try the host-based form as a fallback.

OBS-URL: https://build.opensuse.org/request/show/873760
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=243
Michael Ströder 2021-02-19 12:56:34 +00:00 committed by Git OBS Bridge
parent 964a1412da
commit ceafe406ff
9 changed files with 130 additions and 36 deletions


@ -1,4 +1,4 @@
From ff26447c1edc29bf69672f1a55f8bb1c3f20f582 Mon Sep 17 00:00:00 2001
From cb49731c07ee57f64bd5a93a182446bc834b9057 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 23 Aug 2016 16:29:58 -0400
Subject: [PATCH 1/8] ksu pam integration
@ -30,10 +30,10 @@ Last-updated: krb5-1.18-beta1
create mode 100644 src/clients/ksu/pam.h
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 2394f7e33..53f8b6fb7 100644
index 024d6370c..43eed3b87 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -1675,3 +1675,71 @@ if test "$with_ldap" = yes; then
@@ -1677,3 +1677,71 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
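Review bot: The header context of this hunk still reads "Last-updated: krb5-1.18-beta1", although the patch is being refreshed here against newer sources (new index hashes, and the src/aclocal.m4 hunk moves from line 1675 to 1677). Update the Last-updated tag in the patch header to the release it was rebased onto, so the next rebase starts from accurate metadata.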
@ -144,11 +144,11 @@ index 8b4edce4d..9d58f29b5 100644
clean:
$(RM) ksu
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 4f03dd8ed..21a4d02bb 100644
index af1286172..931f05404 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -26,6 +26,7 @@
* KSU was writen by: Ari Medvinsky, ari@isi.edu
* KSU was written by: Ari Medvinsky, ari@isi.edu
*/
+#include "autoconf.h"
@ -174,7 +174,7 @@ index 4f03dd8ed..21a4d02bb 100644
/***********/
#define KS_TEMPORARY_CACHE "MEMORY:_ksu"
@@ -535,6 +541,23 @@ main (argc, argv)
@@ -536,6 +542,23 @@ main (argc, argv)
prog_name,target_user,client_name,
source_user,ontty());
@ -198,7 +198,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, _("while switching to target for "
@@ -595,6 +618,24 @@ main (argc, argv)
@@ -596,6 +619,24 @@ main (argc, argv)
exit(1);
}
@ -223,7 +223,7 @@ index 4f03dd8ed..21a4d02bb 100644
}
if( some_rest_copy){
@@ -652,6 +693,30 @@ main (argc, argv)
@@ -653,6 +694,30 @@ main (argc, argv)
exit(1);
}
@ -254,7 +254,7 @@ index 4f03dd8ed..21a4d02bb 100644
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
@@ -749,7 +814,7 @@ main (argc, argv)
@@ -750,7 +815,7 @@ main (argc, argv)
fprintf(stderr, "program to be execed %s\n",params[0]);
}
@ -263,7 +263,7 @@ index 4f03dd8ed..21a4d02bb 100644
execv(params[0], params);
com_err(prog_name, errno, _("while trying to execv %s"), params[0]);
sweep_up(ksu_context, cc_target);
@@ -779,16 +844,35 @@ main (argc, argv)
@@ -780,16 +845,35 @@ main (argc, argv)
if (ret_pid == -1) {
com_err(prog_name, errno, _("while calling waitpid"));
}
@ -759,10 +759,10 @@ index 000000000..d45b9fd84
+void appl_pam_cleanup(void);
+#endif
diff --git a/src/configure.ac b/src/configure.ac
index 234f4281c..d1f576124 100644
index 4eb080784..693f76a81 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -1390,6 +1390,8 @@ AC_SUBST([VERTO_VERSION])
@@ -1389,6 +1389,8 @@ AC_SUBST([VERTO_VERSION])
AC_PATH_PROG(GROFF, groff)
@ -772,5 +772,5 @@ index 234f4281c..d1f576124 100644
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--
2.25.0
2.30.0


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e61783c292b5efd9afb45c555a80dd267ac67eebabca42185362bee6c4fbd719
size 8715312


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=bdBU
-----END PGP SIGNATURE-----

krb5-1.19.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fa16f87eb7e3ec3586143c800d7eaff98b5e0dcdf0772af7d98612e49dbeb20b
size 8738142
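Review bot: The oid sha256 in this pointer is the only integrity value shown for the new tarball, and the detached signature krb5-1.19.1.tar.gz.asc is replaced in the same commit. Before accepting, confirm that the digest matches the upstream krb5-1.19.1 release tarball and that the new .asc verifies over that same file with the release key already trusted by the package, rather than relying on the pair being consistent with each other.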

krb5-1.19.1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=PP6r
-----END PGP SIGNATURE-----


@ -1,3 +1,50 @@
-------------------------------------------------------------------
Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether
certificates can be loaded for each value.
-------------------------------------------------------------------
Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft's Resource-Based Constrained
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
used in the reply. This encryption type will be deprecated and removed
in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
-------------------------------------------------------------------
Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
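Review bot: Neither new entry mentions the refresh of the "ksu pam integration" patch, which this commit also touches (new index hashes and shifted offsets in src/aclocal.m4, src/clients/ksu/main.c and src/configure.ac). Add a line to the 1.19 or 1.19.1 entry recording that the patch was rebased, so the changelog accounts for every changed file in the request.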


@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -24,7 +24,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5-mini
Version: 1.18.3
Version: 1.19.1
Release: 0
Summary: MIT Kerberos5 implementation and libraries with minimal dependencies
License: MIT


@ -1,3 +1,50 @@
-------------------------------------------------------------------
Fri Feb 19 12:10:25 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.19.1
* Fix a linking issue with Samba.
* Better support multiple pkinit_identities values by checking whether
certificates can be loaded for each value.
-------------------------------------------------------------------
Fri Feb 5 10:36:51 UTC 2021 - Samuel Cabrero <scabrero@suse.de>
- Update to 1.19
Administrator experience
* When a client keytab is present, the GSSAPI krb5 mech will refresh
credentials even if the current credentials were acquired manually.
* It is now harder to accidentally delete the K/M entry from a KDB.
Developer experience
* gss_acquire_cred_from() now supports the "password" and "verify"
options, allowing credentials to be acquired via password and
verified using a keytab key.
* When an application accepts a GSS security context, the new
GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
both provided matching channel bindings.
* Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests
to identify the desired client principal by certificate.
* PKINIT certauth modules can now cause the hw-authent flag to be set
in issued tickets.
* The krb5_init_creds_step() API will now issue the same password
expiration warnings as krb5_get_init_creds_password().
Protocol evolution
* Added client and KDC support for Microsoft's Resource-Based Constrained
Delegation, which allows cross-realm S4U2Proxy requests. A third-party
database module is required for KDC support.
* kadmin/admin is now the preferred server principal name for kadmin
connections, and the host-based form is no longer created by default.
The client will still try the host-based form as a fallback.
* Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
extension, which causes channel bindings to be required for the
initiator if the acceptor provided them. The client will send this
option if the client_aware_gss_bindings profile option is set.
User experience
* kinit will now issue a warning if the des3-cbc-sha1 encryption type is
used in the reply. This encryption type will be deprecated and removed
in future releases.
* Added kvno flags --out-cache, --no-store, and --cached-only
(inspired by Heimdal's kgetcred).
-------------------------------------------------------------------
Thu Nov 19 09:30:13 UTC 2020 - Samuel Cabrero <scabrero@suse.de>
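Review bot: The 1.19 entry here carries two things the request description leaves out: the KERB_AP_OPTIONS_CBT item under "Protocol evolution" and the whole "User experience" block (the des3-cbc-sha1 warning from kinit and the new kvno flags). Bring the request text in line with the .changes entry, since the des3-cbc-sha1 warning and the channel-binding behaviour are user-visible after the upgrade.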


@ -1,7 +1,7 @@
#
# spec file for package krb5
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: krb5
Version: 1.18.3
Version: 1.19.1
Release: 0
Summary: MIT Kerberos5 implementation
License: MIT